Wily tested in QEMU/OVMF with signed kernel, with and without MokSBState enabled.
** Description changed: Add code to implement secure boot checks. Unsigned or incorrectly signed modules will continue to install while tainting the kernel _until_ EFI_SECURE_BOOT_SIG_ENFORCE is enabled. + + When EFI_SECURE_BOOT_SIG_ENFORCE is enabled, then the only recourse for + platforms booting in secure boot mode with a DKMS dependency is to + disable secure boot using mokutils: + + sudo mokutil --disable-validation + sudo reboot ** Description changed: Add code to implement secure boot checks. Unsigned or incorrectly signed modules will continue to install while tainting the kernel _until_ EFI_SECURE_BOOT_SIG_ENFORCE is enabled. When EFI_SECURE_BOOT_SIG_ENFORCE is enabled, then the only recourse for platforms booting in secure boot mode with a DKMS dependency is to - disable secure boot using mokutils: + disable secure boot using mokutil: sudo mokutil --disable-validation sudo reboot ** Description changed: + This work is authorized by an approved UOS spec at + https://wiki.ubuntu.com/Spec/InstallingUnsignedSecureBoot + Add code to implement secure boot checks. Unsigned or incorrectly signed modules will continue to install while tainting the kernel _until_ EFI_SECURE_BOOT_SIG_ENFORCE is enabled. When EFI_SECURE_BOOT_SIG_ENFORCE is enabled, then the only recourse for platforms booting in secure boot mode with a DKMS dependency is to disable secure boot using mokutil: sudo mokutil --disable-validation sudo reboot ** Description changed: - This work is authorized by an approved UOS spec at + This work is authorized by an approved UOS spec and blueprint at https://wiki.ubuntu.com/Spec/InstallingUnsignedSecureBoot Add code to implement secure boot checks. Unsigned or incorrectly signed modules will continue to install while tainting the kernel _until_ EFI_SECURE_BOOT_SIG_ENFORCE is enabled. When EFI_SECURE_BOOT_SIG_ENFORCE is enabled, then the only recourse for platforms booting in secure boot mode with a DKMS dependency is to disable secure boot using mokutil: sudo mokutil --disable-validation sudo reboot -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1566221 Title: linux: Enforce signed module loading when UEFI secure boot To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
